Senate Judiciary Committee Holds Hearing on ECPA

April 6, 2011. The Senate Judiciary Committee (SJC) held a hearing titled "The Electronic Communications Privacy Act: Government Perspectives on Protecting Privacy in the Digital Age". SJC members expressed opinions, and heard testimony from government witnesses. The SJC previously held another hearing for private sector witnesses.

The Electronic Communications Privacy Act (ECPA), which was enacted in 1986, includes the Stored Communications Act (SCA). The Congress has amended it since, but the ECPA has not kept pace with technological changes. At issue is what standards apply when the government wants to access different types of information or data.

The federal government, and especially representatives of the Department of Justice (DOJ), oppose changes in law that would limit the ease and speed with which the government can access other people's communications and data.

One year ago a coalition named Digital Due Process (DDP) announced a set of four principles which the DPP members argue should be incorporated into the federal statutes that regulate government searches and seizures of stored communications and data.

These DPP principles state, for example, that the "government should obtain a search warrant based on probable cause before it can compel a service provider to disclose a user's private communications or documents stored online" and it "should obtain a search warrant based on probable cause before it can track, prospectively or retrospectively, the location of a cell phone or other mobile communications device".

See also, story titled "Digital Due Process Coalition Proposes Changes to Federal Surveillance Law" in TLJ Daily E-Mail Alert No. 2,068, March 31, 2010.

Sen. Patrick Leahy (D-VT), the Chairman of the SJC, stated in his opening statement that "there is general agreement that ECPA has become outdated by vast technological advances and changing law enforcement missions since the law's initial enactment".

He also stated that "a few core principles should guide our work. Meaningful ECPA reform must carefully balance privacy rights, public safety and security. Reforms must also encourage American innovation and instill confidence in American consumers, law enforcement and the business community."

Sen. Patrick LeahySen. Leahy (at right) elaborated that "ECPA is a law that is hampered by conflicting standards that cause confusion for law enforcement, the business community and American consumers alike. For example, the content of a single e-mail could be subject to as many as four different levels of privacy protections under ECPA, depending on where it is stored, and when it is sent. There are also no clear standards under that law for how and under what circumstances the Government can access cell phone or other mobile location information when investigating crime or national security matters."

Sen. Charles Grassley (R-IA), the ranking Republican on the SJC, said that "we need to hear from the law enforcement community ... to ensure that we do not create loopholes that make it harder for law enforcement to do their jobs".

He said that "the 86 statute struck a balance between privacy and law enforcement". He added that "there is clearly a tension between the two points", and now the Senate needs to strike that balance again.

The witnesses were Cameron Kerry, General Counsel at the Department of Commerce (DOC), and James Baker, Associate Deputy Attorney General at the DOJ.

Baker wrote in his prepared testimony [12 pages in PDF] that the ECPA is important to criminal and national security investigations. He stated that the Congress "should refrain from making changes that would unduly impair the government's ability to obtain critical information necessary to build criminal, national security, and cyber investigations" and that the "Congress should also recognize that raising the standard for obtaining information under ECPA may substantially slow criminal and national security investigations."

The DOC's National Telecommunications and Information Administration (NTIA) issued a notice of inquiry (NOI) on April 23, 2010, regarding the nexus between privacy policy and innovation in the internet economy. See, notice in the Federal Register, April 23, 2010, Vol. 75, No. 78, at Pages 21226-21231. See also, NTIA web page with hyperlinks to comments.

On December 16, 2010, it released its report [88 pages in PDF] titled "Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Privacy Framework". That report concluded that the Obama administration should review the ECPA "with a view to addressing privacy protection in cloud computing and location-based services."

The SJC heard no testimony from information technology and communications companies, law professors or legal experts, or privacy advocates. However, the SJC held a hearing on September 22, 2010 at which it heard from Jim Dempsey (Center for Democracy and Technology and leader of the DDP coalition), Brad Smith (Microsoft), and Jamil Jaffir. See, prepared testimony [16 pages in PDF] of Dempsey, prepared testimony [13 pages in PDF] of Smith, and prepared testimony [15 pages in PDF] of Jaffer.

Neither the DOC, DOJ, nor President Obama have issued any written recommendations for amending the ECPA. Kerry said that "we have been in active discussion", and the DOC is prepared to work with the SJC in drafting legislation. Sen. Leahy said that he wants to see the "administration's recommendations".

Baker said that "we have been working on a whole range of issue", that "we have made substantial progress", but that the administration has more work to do.

Sen. Leahy asked what is the DOJ policy regarding the "legal standard for government to access cell phone location information". Baker said that for accessing GPS data the DOJ needs to obtain a court warrant, but that for cell site location it obtains a court order under a lower standard than for a warrant.

Sen. Sheldon Whitehouse (D-RI), a former federal prosecutor (U.S. Attorney for the District of Rhode Island during the Clinton administration), questioned whether there is a cognizable privacy right under the 4th Amendment in one's location.

Sen. Grassley referenced the proposals of the DDP coalition regarding using the probable cause standard for location information. He asked, "do you support raising the legal standard"? Baker said that "if we raise the standard, it would impact law enforcement", and "it would be more difficult".

Sen. Grassley asked if raising the standard would unduly burden prosecutors and the courts. Baker said, referring to pen register and location information, that "we use that information as the basic building blocks" of an investigation, and to build probable clause for "the more intrusive types of techniques".

Sen. Al Franken (D-MN) suggested that currently under the ECPA "privacy protections are far too weak" in the context of location information.

Sen Al FrankenSen. Franken (at right) also said that "Minnesota is home to a lot of so called cloud computing businesses". He said that he heard from one of these businesses that informed him that "they are loosing business because they can't definitively tell their prospective customers when and how the government will access their information". He asked "how can we amend ECPA to help businesses" like this one.

Sen. Christopher Coons (D-DE) asked how U.S. law compares to that in Europe under the European Data Privacy Directive.

Sen. Richard Blumenthal (D-CT) discussed the recent Epsilon data breach, and stated that he has asked for an investigation. He asked whether there is a need for more explicit restrictions in sharing information by companies, and whether this should be part of ECPA reform.

The U.S. Court of Appeals (3rdCir) issued its opinion [PDF] in In the Matter of the Applications of the United States of America for an Order Directing a Provider of Electronic Communication Service to Disclose Records to the Government, App. Ct. No. 08-4227, on September 7, 2010. That opinion is also reported at 620 F.3d 304.

The 3rd Circuit held that "the SCA does not contain any language that requires the Government to show probable cause as a predicate for a court order under" 18 U.S.C. 2703(d) for cell site location information (CSLI) from cell phone calls. It also held that the court may reject the government's application even when it has met the statutory standard.

Kerry wrote in his prepared testimony [11 pages in PDF] that "There have been a series of decisions from district courts and magistrates on this issue, without any consensus about what the law including section 2703(d) of ECPA requires. The Third Circuit was the first appellate court to consider the question. It concluded that a court may refuse to issue an order pursuant to section 2703(d) to enable the government to obtain cell location information, even if the government satisfies the legal standard set forth in that section. At the same time, the Third Circuit articulated no clear standards to guide lower courts' exercise of the discretion it accorded them. Congress should examine ECPA's standards and procedures concerning government access to such information, and ensure that principled reasons continue to support those standards and procedures." (Footnotes omitted.)

Baker wrote in his prepared testimony that "The appropriate legal standard for obtaining prospective cell-site information is not entirely uniform across the country. Judges in many districts issue prospective orders for cell-site information under the combined authority of a pen/trap order under the Pen Register statute and a court order under ECPA based upon ``specific and articulable facts. ... Starting in 2005, however, some magistrate and district judges began rejecting this approach and holding that the only option for compelled ongoing production of cell location information is a search warrant based on probable cause. Courts' conflicting interpretations of the statutory basis for obtaining prospective cell-site information have created uncertainty regarding the proper standard for compelled disclosure of cell-site information, and some courts' requirement of probable cause has hampered the government's ability to obtain important information in investigations of serious crimes. Legislation to clarify and unify the legal standard and the proper mechanism for obtaining prospective cell-site information could eliminate this uncertainty."

He also wrote that "Legislation could address" the 3rd Circuit's "interpretation of 2703(d), under which a court is free to reject the government's application even when it meets the statutory standard".

On December 14, 2010, the U.S. Court of Appeals (6thCir) issued its opinion [98 pages in PDF] in US v. Warshak, which involves application of the 4th Amendment to the government's ex parte seizure of approximately 27,000 of Warshak's private e-mails. The Court of Appeals held that a subscriber enjoys a reasonable expectation of privacy in the contents of emails that are stored with, or sent or received through, a commercial ISP. The government may not compel a commercial ISP to turn over the contents of a subscriber's emails without first obtaining a warrant based on probable cause. See, story titled "6th Circuit Rules There Is A Reasonable Expectation of Privacy In Stored E-Mail" in TLJ Daily E-Mail Alert No. 2,179, December 15, 2010.

Kerry wrote that US v. Warshak "is the law only in the Sixth Circuit, and the U.S. government is determining whether to seek Supreme Court review. Until such time as the Court squarely addresses the issue, the law as to what protection the Fourth Amendment affords to the messages and other customer content transmitted and stored electronically will be unsettled, and the resulting uncertainty will create challenges for consumers, businesses, and law enforcement. As Congress reassesses ECPA, one clear goal should be establishing clear and consistent rules in the area for the new communications marketplace."

Kerry also wrote that "An important subject for legislative consideration is whether there should be identical statutory protections regardless of whether a user stores information on a provider's computer or locally in the user's own computer. In determining whether to modify ECPA's current framework with respect to customer content, Congress should be guided by two overarching considerations. First, there should be a principled relationship between the legal protections and procedures that apply to law enforcement access to electronic information (including both content and customer identification and transactional information) and the legal protections and procedures for comparable materials in the physical world. What those legal protection and procedures are should be determined by reference to a number of factors, including the privacy expectations of the parties involved, who has access to or control of the information, and the reasonable needs of law enforcement and national security."